Win32/Exploit.MSWord.Smtag trojan

Posted on 2008-06-25
Last Modified: 2013-11-22
A large MS Word (Office 2003, SP 3) document that I work on regularly appears to have been infected with a trojan this morning.  I'm running ESET / NOD32 (v3217 (20080625)).  This was the NOD32 warning:

Time      Module      Object      Name      Threat      Action      User      Information
6/25/2008 9:48:59 AM      AMON      file      <full path> a variant of Win32/Exploit.MSWord.Smtag trojan <machine name>\jdana      Event occurred at an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.

NOD32 was unable to clean the file.  The error message simply reads, "Unable to clean."

Here's the interesting twist: The file was reported infected after the 3217 update.  The 3218 update arrived minutes ago, and suddenly NOD32 reports the file is clean.  Was I looking at a "false positive" from NOD32?   Is there an online tool I can use to verify the file is, in fact, clean?
Question by:jdana
Accepted Solution

by:
IndiGenus earned 168 total points
ID: 21867554
Yes, sounds like it was a false positive. To make sure, you could upload the file to one of the online scanners. It will be scanned by almost every engine out there....

Go to http://virusscan.jotti.org, click on Browse, and upload the file for analysis:

If Jotti is too busy you can try these.

http://www.kaspersky.com/scanforvirus.html
http://www.virustotal.com/en/indexf.html

Assisted Solution

by:vbuckjr
vbuckjr earned 166 total points
ID: 21868126
This is a false positive. They had a bad signature file go out in 3217 and have corrected it with the 3218 update. You can follow this link to a discussion of this problem.

http://www.wilderssecurity.com/showthread.php?p=1268309




Assisted Solution

by:Bene007
Bene007 earned 166 total points
ID: 21875092
The proposal is quite correct.
I installed version 3218 on the 25th of June (now it is still 3221!) and I get no more false positives!
But I have to tell you that on the 25th of June the option "scan and clean" deleted some old Word files!
The option in the action tab doesn't explain that.
Benedicte

Author Closing Comment

by:jdana
ID: 31470655
Sure enough, the "shadow" trojan vanished with the update.  Thanks for the assistance.